Harry
I had a similar issue recently. I "fixed" that by making the Guacamole WAR the
root of the Tomcat server. Add a Context section similar to this:
<Host name="localhost" appBase="webapps"
      unpackWARs="true" autoDeploy="true">
  <Context path="" docBase="guacamole" debug="0"
           reloadable="true"></Context>
</Host>
inside the Tomcat server.xml and restart it. You will also need to change the
ProxyPass lines in Apache.
Cheers
Jon
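The Apache side of the change Jon describes, as an added example that is not part of the original post: once Guacamole is the Tomcat root context, the backend paths no longer carry /guacamole/, and the WebSocket tunnel needs its own proxied location. Hostname, ports and Apache 2.4 access syntax are assumptions.

```apache
# Constructed example (not from the thread): reverse proxy for Guacamole deployed
# as the Tomcat root context (Context path=""). The only change to the generic
# block is dropping /guacamole/ from the backend URLs.
<Location />
    Require all granted
    ProxyPass http://localhost:8080/ flushpackets=on
    ProxyPassReverse http://localhost:8080/
</Location>

# Guacamole's WebSocket tunnel is proxied separately via mod_proxy_wstunnel.
# Keep this block after the "/" block so its ProxyPass takes precedence.
<Location /websocket-tunnel>
    Require all granted
    ProxyPass ws://localhost:8080/websocket-tunnel
    ProxyPassReverse ws://localhost:8080/websocket-tunnel
</Location>
```

The external URL that Apache serves (https://<server>/) is then also the value users are redirected back to, so saml-callback-url in guacamole.properties should match it exactly, scheme and trailing path included.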
On Wed, 2024-12-18 at 14:02 +0000, Devine, Harry (FAA) wrote:
Also, I am doing a ProxyPass to proxy the traffic through Apache to the
Guacamole backend on 8080:
<Location />
    Order allow,deny
    Allow from all
    ProxyPass http://localhost:8080/guacamole/ flushpackets=on
    ProxyPassReverse http://localhost:8080/guacamole/
</Location>
Not sure how this plays into things. But when I sign into the SAML with my
smart card, that works, and the redirect back just keeps sending me back to the
Okta MFA page, which detects I’m already logged in, and redirects back to
Guacamole, and the cycle continues for a while until the 429 Too Many Requests
comes across.
Thanks,
Harry
From: Devine, Harry (FAA) <[email protected]>
Sent: Tuesday, December 17, 2024 3:26 PM
To: [email protected]
Subject: RE: Question about callback URL with SAML configuration
CAUTION: This email originated from outside of the Federal Aviation
Administration (FAA). Do not click on links or open attachments unless you
recognize the sender and know the content is safe.
I’m not really getting any errors in the Tomcat logs or /var/log/messages. I
eventually just get a 429 Too Many Redirects error. And the callback I’m
referring to is what we need to put into the saml-callback-url property in
/etc/guacamole/guacamole.properties. Currently, we have the server name itself
(https://<server>). I’m assuming that needs to be something different.
Thanks,
Harry
From: Nick Couchman <[email protected]>
Sent: Tuesday, December 17, 2024 3:20 PM
To: [email protected]
Subject: Re: Question about callback URL with SAML configuration
On Tue, Dec 17, 2024 at 3:13 PM Devine, Harry (FAA)
<[email protected]> wrote:
We are on Guacamole 1.5.4 at the moment, and we have a mandate to implement
MFA. We have been working with our IT department and using a test Guacamole
server for the configuration testing. We were initially trying OpenID but we
kept getting an invalid response_type value. So they suggested SAML, which we
implemented and proved that we could log in. However, we do get an error from
Guacamole because the MFA doesn’t seem to know how to return the response back
to our Guacamole server.
What error are you seeing? And what messages are you getting in the logs?
So, my question is: how do I implement or configure the Callback URL on our
Guacamole server so the response that comes back can be retrieved?
Are you talking about the callback URL in the Guacamole configuration, or one
specific to the SAML IdP?
-Nick